How to Control Permissions for the Contact Form 7 Plugin

Contact Form 7 is one of the most popular plugins in the WordPress world. However, it is a fairly basic plugin that lacks some key features such as access control.

In this guide, I'll show you how to control access to Contact Form 7 features. We'll use the PublishPress Capabilities plugin. If you want to take this tutorial a step further, check out how to control access to Contact Form 7 admin menus.


Getting started with Contact Form 7 permissions

By default, almost all WordPress users can access the list of forms in Contact Form 7. The only exception is “Subscriber” users, who can't see any forms.

The image below shows what a “Contributor” user will see. They can see all the forms on the site.

Contact Form 7 Defaults

However, only Administrators and Editors can edit the forms. This next image shows what a Contributor will see if they try to edit a message: “You are not allowed to edit this contact form.”

Contributor Contact Form 7

This table has a rundown of the default permissions for Contact Form 7:

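| WordPress user role | Can see the list of forms | Can edit the forms |
|---------------------|---------------------------|--------------------|
| Subscriber          | No                        | No                 |
| Contributor         | Yes                       | No                 |
| Author              | Yes                       | No                 |
| Editor              | Yes                       | Yes                |
| Administrator       | Yes                       | Yes                |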

Understanding the default permissions for Contact Form 7

Contact Form 7 does have a slightly confusing system for managing permissions, so please read this next part carefully.

Technically, Contact Form 7 does provide several capabilities. You'll find these in the /includes/capabilities.php file.

  • wpcf7_edit_contact_form
  • wpcf7_edit_contact_forms
  • wpcf7_read_contact_form
  • wpcf7_read_contact_forms
  • wpcf7_delete_contact_form
  • wpcf7_delete_contact_forms
  • wpcf7_manage_integration
  • wpcf7_submit

However, those capabilities are not directly usable. This is because these capabilities are mapped onto default WordPress permissions. You'll find this in the /includes/contact-form.php file.

'edit_post' => 'wpcf7_edit_contact_form',
'read_post' => 'wpcf7_read_contact_form',
'delete_post' => 'wpcf7_delete_contact_form',
'edit_posts' => 'wpcf7_edit_contact_forms',
'edit_others_posts' => 'wpcf7_edit_contact_forms',
'publish_posts' => 'wpcf7_edit_contact_forms',
'read_private_posts' => 'wpcf7_edit_contact_forms',

However, there's also this in the wp-contact-form-7.php file:

if ( ! defined( 'WPCF7_ADMIN_READ_CAPABILITY' ) ) {
	define( 'WPCF7_ADMIN_READ_CAPABILITY', 'edit_posts' );
}

if ( ! defined( 'WPCF7_ADMIN_READ_WRITE_CAPABILITY' ) ) {
	define( 'WPCF7_ADMIN_READ_WRITE_CAPABILITY', 'publish_pages' );
}

So what you see here is a list of the permissions that really control access to Contact Form 7. These are the normal edit, publish and delete permissions for WordPress posts and pages.


How to change Contact Form 7 permissions

You can change the default permissions with the PublishPress Capabilities plugin.

  • After installing, go to “Capabilities” in your WordPress admin menu.
  • In the top-left corner, choose the role you want to edit.
  • Use edit_posts to allow users to edit forms.
  • Use publish_pages to allow users to create new forms.

So these two permissions below will give users almost complete access to Contact Form 7:

Contributor Contact Form 7 1

More advanced Contact Form 7 permission changes

The solution above is not ideal for every site. For example, you may not want a user to edit posts and also contact forms. That is what will happen if you give them the edit_posts capability.

So a more advanced approach is to create your own permissions, based on the Contact Form 7 defaults. Add these to your theme's functions.php file. You can name the new permissions anything you want, but I've chosen this format: edit_contactform7 and read_contactform7.

add_filter('wpcf7_map_meta_cap', 'new_contactform7_capabilities', 10, 1);

// Returning a new array replaces the map Contact Form 7 passes in
// with the custom capabilities listed below.
function new_contactform7_capabilities($meta_caps) {

    $meta_caps = array(
        'wpcf7_edit_contact_form'   => 'edit_contactform7',
        'wpcf7_edit_contact_forms'  => 'edit_contactform7',
        'wpcf7_read_contact_forms'  => 'read_contactform7',
        'wpcf7_delete_contact_form' => 'delete_contactform7',
        'wpcf7_manage_integration'  => 'manage_contactform7',
    );

    return $meta_caps;

}

  • Now go to PublishPress Capabilities in your site.
  • Enter these new options into the “Add Capability” box and click “Add to role”.

Add Capability

You can now give these permissions to the user role you choose:

Additional Contact Form 7

I gave those three permissions to the “Contributor” role. I now have a very limited user role that does have full access to Contact Form 7's features:

Contributor Cf 7
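
Added example (not code from this tutorial's author or from Contact Form 7): a variant of the filter above that overrides only the listed entries and keeps the rest of the map the plugin passes in, then grants the custom capabilities in code rather than through the Capabilities screen. The function names, the `cf7_custom_caps()` helper and the choice of roles are assumptions; Administrators are included so that they hold the new capabilities as well.

```php
// Added example: assumes it runs inside WordPress with Contact Form 7 active,
// e.g. from a small site-specific plugin or the theme's functions.php.

// Custom capability names from the tutorial, keyed by the CF7 capability they replace.
function cf7_custom_caps() { // hypothetical helper name
    return array(
        'wpcf7_edit_contact_form'   => 'edit_contactform7',
        'wpcf7_edit_contact_forms'  => 'edit_contactform7',
        'wpcf7_read_contact_forms'  => 'read_contactform7',
        'wpcf7_delete_contact_form' => 'delete_contactform7',
        'wpcf7_manage_integration'  => 'manage_contactform7',
    );
}

// Override only the entries above; every other entry CF7 passes in is kept.
add_filter( 'wpcf7_map_meta_cap', 'cf7_merge_custom_caps', 10, 1 );
function cf7_merge_custom_caps( $meta_caps ) {
    return array_merge( (array) $meta_caps, cf7_custom_caps() );
}

// Grant the custom capabilities per role. The role choice is an assumption:
// administrators get all of them, contributors may only view and edit forms.
add_action( 'init', 'cf7_grant_custom_caps' );
function cf7_grant_custom_caps() {
    $grants = array(
        'administrator' => array_unique( array_values( cf7_custom_caps() ) ),
        'contributor'   => array( 'read_contactform7', 'edit_contactform7' ),
    );
    foreach ( $grants as $role_name => $caps ) {
        $role = get_role( $role_name );
        if ( null === $role ) {
            continue; // role was removed or renamed on this site
        }
        foreach ( $caps as $cap ) {
            // Skip caps already held so the roles option is not rewritten on every request.
            if ( ! $role->has_cap( $cap ) ) {
                $role->add_cap( $cap );
            }
        }
    }
}
```

Role capabilities are stored in the database, so deleting a line from `$grants` does not revoke a capability that was already granted; call `$role->remove_cap()` for that.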

Finally, if you want to go in the opposite direction and remove Contact Form 7 access from some users, check out this tutorial.


Summary of Contact Form 7 permissions

I hope this guide to Contact Form 7 was useful. Yes, this plugin is a little confusing, but the PublishPress Capabilities plugin can help you with any permissions setup that you need.

Also check out our guide to permissions for the Flamingo plugin which helps you store Contact Form 7 messages. There's also a guide available for Gravity Forms permissions.

You might find other PublishPress guides useful including our introduction to bbPress roles and capabilities, plus tutorials on restricting user access in Beaver Builder and Elementor.

If you use the Gutenberg editor, check out how to add contact forms in Gutenberg.
